research-article

Public Access

Automated least privileges in cloud-based web services

Authors:

Matthew Sanders,

Chuan YueAuthors Info & Claims

HotWeb '17: Proceedings of the fifth ACM/IEEE Workshop on Hot Topics in Web Systems and Technologies

Article No.: 3, Pages 1 - 6

https://doi.org/10.1145/3132465.3132470

Published: 14 October 2017 Publication History

PDF eReader

Abstract

The principle of least privilege is a fundamental guideline for secure computing that restricts privileged entities to only the permissions they need to perform their authorized tasks. Achieving least privileges in an environment composed of many heterogeneous web services provided by a third party is an important but difficult and error prone task for many organizations. This paper explores the challenges that make achieving least privileges uniquely difficult in the cloud environment and the potential benefits of automated methods to assist with creating least privilege policies from audit logs. To accomplish these goals, we implement two frameworks: a Policy Generation Framework for automatically creating policies from audit log data, and an Evaluation Framework to quantify the security provided by generated roles. We apply these frameworks to a real world dataset of audit log data with 4.3 million events from a small company and present results describing the policy generator's effectiveness. Results show that it is possible to significantly reduce over-privilege and administrative burden of permission management.

References

[1]

Amazon Web Services. 2017. AWS CloudTrail. https://aws.amazon.com/cloudtrail/. (2017). Accessed: 2017-02-20.

Google Scholar

[2]

Amazon Web Services. 2017. AWS Identity and Access Management (IAM). https://aws.amazon.com/iam/. (2017). Accessed: 2017-02-20.

Google Scholar

[3]

Amazon Web Services. 2017. Case Studies. https://aws.amazon.com/solutions/case-studies. (2017). Accessed: 2017-03-20.

Google Scholar

[4]

Aaron Blankstein and Freedman J. Michael. 2014. Automating isolation and least privilege in web services. In IEEE Symposium on Security and Privacy. IEEE, 133--148.

Digital Library

Google Scholar

[5]

Sara Motiee, Kirstie Hawkey, and Konstantin Beznosov. 2010. Do windows users follow the principle of least privilege?: investigating user account control practices. In Symposium on Usable Privacy and Security (SOUPS).

Digital Library

Google Scholar

[6]

Jerome H Saltzer and Michael D Schroeder. 1975. The protection of information in computer systems. IEEE 63, 9 (1975), 1278--1308.

Crossref

Google Scholar

[7]

Ravi Sandhu, David Ferraiolo, and Richard Kuhn. 2000. The NIST model for role-based access control: towards a unified standard. In ACM workshop on Role-based access control.

Digital Library

Google Scholar

[8]

Jrgen Schlegelmilch and Ulrike Steffens. 2005. Role mining with ORCA. In ACM Symposium on Access control models and technologies (SACMAT).

Digital Library

Google Scholar

[9]

Hassan Takabi and James BD Joshi. 2010. StateMiner: an efficient similarity-based approach for optimal mining of role hierarchy. In Proceedings of the 15th ACM symposium on Access control models and technologies. ACM, 55--64.

Digital Library

Google Scholar

[10]

U.S. Department of Commerce. 2016. 2016 Top Markets Report Cloud Computing. http://trade.gov/topmarkets/pdf/Cloud_Computing_Top_Markets_Report.pdf. (2016). Accessed: 2017-03-23.

Google Scholar

[11]

Jaideep Vaidya, Vijayalakshmi Atluri, and Janice Warner. 2006. RoleMiner: mining roles using subset enumeration. In Proceedings of the 13th ACM conference on Computer and communications security. ACM, 144--153.

Digital Library

Google Scholar

[12]

Ruowen Wang, William Enck, Douglas Reeves, Xinwen Zhang, Peng Ning, Dingbang Xu, Wu Zhou, and Ahmed M. Azab. 2015. EASEAndroid: Automatic Policy Analysis and refinement for security enhanced android via large-scale semi-supervised learning. In USENIX Security Symposium.

Google Scholar

[13]

Yongzheng Wu, Jun Sun, Yang Liu, and Jin Song Dong. 2013. Automatically partition software into least privilege components using dynamic data dependency analysis. In IEEE/ACM International Conference on Automated Software Engineering (ASE).

Digital Library

Google Scholar

Cited By

View all

Altaleb HRajnai Z(2024)Enhancing Cybersecurity in Industrial Control Systems Through GRC Framework: Principles, Regulations, and Risk AssessmentCritical Infrastructure Protection in the Light of the Armed Conflicts10.1007/978-3-031-47990-8_20(223-233)Online publication date: 16-Mar-2024
https://doi.org/10.1007/978-3-031-47990-8_20
Shen BShan TZhou YCalandrino JTroncoso C(2023)MultiviewProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620657(7499-7516)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620657
Theodoropoulos TRosa LBenzaid CGray PMarin EMakris ACordeiro LDiego FSorokin PGirolamo MBarone PTaleb TTserpes K(2023)Security in Cloud-Native Services: A SurveyJournal of Cybersecurity and Privacy10.3390/jcp30400343:4(758-793)Online publication date: 26-Oct-2023
https://doi.org/10.3390/jcp3040034
Show More Cited By

Recommendations

Role-Based ABAC Model for Implementing Least Privileges
ICSCA '19: Proceedings of the 2019 8th International Conference on Software and Computer Applications

RBAC and ABAC are well-known access control models due to their least privileges and dynamic behavior respectively. They also have some drawbacks like RBAC is unable to provide dynamic behavior and flexibility as well as ABAC is unable to provide tight ...
Delegating Privileges over Finite Resources: A Quota Based Delegation Approach
Formal Aspects in Security and Trust

When delegation in real world scenarios is considered, the delegator (the entity that posses the privileges) usually passes the privileges on to the delegatee (the entity that receives the privileges) in such a way that the former looses these ...
A scalable attribute-set-based access control with both sharing and full-fledged delegation of access privileges in cloud computing

The Proposed scheme employs Ciphertext-policy Attribute-Set-Based Encryption for secure sharing of data using cloud servers.The proposed scheme provides users complete liberty on delegation of their access privileges.Shared access privileges are provided ...

Comments

Information & Contributors

Information

Published In

HotWeb '17: Proceedings of the fifth ACM/IEEE Workshop on Hot Topics in Web Systems and Technologies

October 2017

97 pages

ISBN:9781450355278

DOI:10.1145/3132465

Program Chairs:
Qun Li
College of William and Mary
,
Songqing Chen
George Mason University

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 14 October 2017

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Qualifiers

Research-article

Funding Sources

Conference

SEC '17

Sponsor:

SIGMOBILE
IEEE-CS\DATC

SEC '17: IEEE/ACM Symposium on Edge Computing

October 14, 2017

California, San Jose

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

7
Total Citations
View Citations
478
Total Downloads

Downloads (Last 12 months)95
Downloads (Last 6 weeks)14

Reflects downloads up to 05 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Altaleb HRajnai Z(2024)Enhancing Cybersecurity in Industrial Control Systems Through GRC Framework: Principles, Regulations, and Risk AssessmentCritical Infrastructure Protection in the Light of the Armed Conflicts10.1007/978-3-031-47990-8_20(223-233)Online publication date: 16-Mar-2024
https://doi.org/10.1007/978-3-031-47990-8_20
Shen BShan TZhou YCalandrino JTroncoso C(2023)MultiviewProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620657(7499-7516)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620657
Theodoropoulos TRosa LBenzaid CGray PMarin EMakris ACordeiro LDiego FSorokin PGirolamo MBarone PTaleb TTserpes K(2023)Security in Cloud-Native Services: A SurveyJournal of Cybersecurity and Privacy10.3390/jcp30400343:4(758-793)Online publication date: 26-Oct-2023
https://doi.org/10.3390/jcp3040034
Yadlapati DSiddhartha NSeelamneni MNali ASangaraju HSridhar P(2023)Security Management Approaches Over the Cloud2023 International Conference on Sustainable Computing and Data Communication Systems (ICSCDS)10.1109/ICSCDS56580.2023.10105026(1277-1282)Online publication date: 23-Mar-2023
https://doi.org/10.1109/ICSCDS56580.2023.10105026
Quispe A(2018)Impact of Excessive Access Permissions and Insider Threat Opportunity in the Financial IndustryInternational Journal of Strategic Information Technology and Applications10.4018/IJSITA.20180701039:3(32-58)Online publication date: Jul-2018
https://doi.org/10.4018/IJSITA.2018070103
Sanders MYue CZhao ZAhn GKrishnan RGhinita G(2018)Minimizing Privilege Assignment Errors in Cloud ServicesProceedings of the Eighth ACM Conference on Data and Application Security and Privacy10.1145/3176258.3176307(2-12)Online publication date: 13-Mar-2018
https://dl.acm.org/doi/10.1145/3176258.3176307
Bushouse MReeves D(2018)Furnace: Self-service Tenant VMI for the CloudResearch in Attacks, Intrusions, and Defenses10.1007/978-3-030-00470-5_30(647-669)Online publication date: 7-Sep-2018
https://doi.org/10.1007/978-3-030-00470-5_30

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Recommendations

Role-Based ABAC Model for Implementing Least Privileges

Delegating Privileges over Finite Resources: A Quota Based Delegation Approach

A scalable attribute-set-based access control with both sharing and full-fledged delegation of access privileges in cloud computing

Comments

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Qualifiers

Funding Sources

Conference

Other Metrics

Article Metrics

Other Metrics

Cited By

PDF

eReader

Login options

Full Access

Abstract

References

Cited By

Recommendations

Role-Based ABAC Model for Implementing Least Privileges

Delegating Privileges over Finite Resources: A Quota Based Delegation Approach

A scalable attribute-set-based access control with both sharing and full-fledged delegation of access privileges in cloud computing

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Qualifiers

Funding Sources

Conference

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

PDF

eReader

Login options

Full Access

Share

Share this Publication link

Share on social media

Affiliations